Simpson Associates – Data Processing Agreement

1. Interpretation

1.1 The definitions and rules of interpretation in this Data Protection Schedule are as follows.

Client: shall mean the customer of Simpson Associates.

Data Controller, Data Processor, Personal Data, Data Subject and process/processing: shall have the meanings given to them in the Data Protection Legislation.

Data Protection Legislation: the UK Data Protection Legislation and any other European Union legislation relating to personal data and all other legislation and regulatory requirements in force from time to time which apply to a Party relating to the use of personal data (including, without limitation, the privacy of electronic communications) and the guidance and codes of practice issued by the relevant data protection or supervisory authority and applicable to a Party.

UK Data Protection Legislation: all applicable data protection and privacy legislation in force from time to time in the UK including the General Data Protection Regulation ((EU) 2016/679); the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.

2. Client Data

2.1 Both Parties will comply with all applicable requirements of the Data Protection Legislation. This Clause 2 is in addition to, and does not relieve, remove or replace, a Party’s obligations or rights under the Data Protection Legislation.

2.2 The Parties acknowledge that for the purposes of the Data Protection Legislation, if Simpson Associates processes any Personal Data on the Client’s behalf when performing its obligations under the Contract, the Client is the Data Controller and Simpson Associates is the Data Processor.

2.3 The Client warrants that it will comply with all its obligations as Data Controller under the Data Protection Legislation.

2.4 Without prejudice to the generality of Clause 2.2, the Client will ensure that it has all necessary and appropriate consents and notices in place to enable lawful transfer of the Personal Data to Simpson Associates for the duration and purposes of this Data Protection Schedule.

2.5 Without prejudice to the generality of Clause 2.2, Simpson Associates shall, in relation to any Personal Data processed in connection with the performance by Simpson Associates of its obligations under a Statement of Work or this Agreement:

process that Personal Data only on the written instructions of the Client unless Simpson Associates is required by the laws of any member of the European Union or by the laws of the European Union applicable to Simpson Associates and/or UK Data Protection Legislation to process Personal Data (“Applicable Laws”). Where Simpson Associates is relying on Applicable Laws as the basis for processing Personal Data, Simpson Associates shall promptly notify the Client of this before performing the processing required by the Applicable Laws unless those Applicable Laws prohibit Simpson Associates from so notifying the Client;

ensure that it has in place appropriate technical and organisational measures, reviewed and approved by the Client, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting Personal Data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to Personal Data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by it);

ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential; and

not transfer any Personal Data outside of the European Economic Area unless the prior written consent of the Client has been obtained and one of the following conditions are fulfilled:

the Client or Simpson Associates has provided appropriate safeguards in relation to the transfer;

the Data Subject has enforceable rights and effective legal remedies;

Simpson Associates complies with its obligations under the Data Protection Legislation by providing an adequate level of protection to any Personal Data that is transferred; and

Simpson Associates complies with reasonable instructions notified to it in advance by the Client with respect to the processing of the Personal Data;

assist the Client, at the Client’s cost, in responding to any request from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

notify the Client without undue delay on becoming aware of a Personal Data breach;

at the written direction of the Client, delete or return Personal Data and copies thereof to the Client on termination of a Statement of Work unless required by Applicable Law to store the Personal Data; and

maintain complete and accurate records and information to demonstrate its compliance with this Clause 2 to allow for audits.

2.6 The Client hereby consents to Simpson Associates appointing third party processors of the Personal Data on the condition that Simpson Associates confirms for each such third party processor that it has entered or (as the case may be) will enter into a written agreement with the third party processor incorporating terms which are as similar as possible to those set out in this Clause 2.

Main Office: Regency House, York Business Park, Poppleton, York, North Yorkshire, YO26 6RW